b"OFFICE OF INSPECTOR GENERAL\n\n               Audit Report\n\nAudit of the Data Management Application Controls\n       and Selected General Controls in the\n     Financial Management Integrated System\n\n\n               Report No. 14-12\n              September 30, 2014\n\n\n\n\n RAILROAD RETIREMENT BOARD\n\x0c                                EXECUTIVE SUMMARY\n\nThe Office of Inspector General (OIG) for the Railroad Retirement Board (RRB)\nconducted an audit of data management application controls and selected configuration\nmanagement, segregation of duties, and contingency planning general controls in the\nRRB\xe2\x80\x99s Financial Management Integrated System (FMIS). The objective of our audit was\nto assess the adequacy of the controls.\n\nBackground\n\nIn October 2013, the RRB transitioned from a mainframe based financial management\nsystem to FMIS, a web-based, cloud hosted system. Data management components of\nan application include the logical design and physical architecture of the system, and\ncontrol the entry, storage, retrieval, and processing of information. In an effective\ninternal control environment, configuration management controls should be in place to\nensure adequate migration from an older system to a newer system; a contractor\xe2\x80\x99s\norganizational structure should have proper segregation of duties; and contingency\nplanning should ensure the continuity of operations if an unplanned interruption of\noperation occurs.\n\nFindings\n\nOur audit determined that the FMIS controls for data management, configuration\nmanagement (migration of the system), contractor segregation of duties, and\ncontingency planning are adequate; however, some control deficiencies exist. We\ndetermined that the RRB should:\n\n   \xe2\x80\xa2   create system specific procedures for access to the FMIS application;\n   \xe2\x80\xa2   update the FMIS System Security Plan to correct errors in control descriptions\n       and ensure missing controls are reflected; and\n   \xe2\x80\xa2   modify audit and accountability procedures to reflect current practice.\n\nAdditionally, an official from the Bureau of Fiscal Operations notified us that the RRB\nanticipates migrating their Program Accounts Receivable system to one that will fully\nintegrate with FMIS. Similar control deficiencies could occur during the course of that\nmigration if lessons learned are not effectively applied.\n\nRecommendations\n\nWe made eight recommendations to RRB management to address the control\ndeficiencies that we identified in the audit.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Fiscal Operations concurred with three recommendations and partially\nconcurred with two. They consider the Financial Management System Security Plan as\n\n                                             i\n\x0cthe primary vehicle for control language and information, and will update that plan after\nconsulting with the FMIS contractor. They will also publish the necessary procedures for\nobtaining access to FMIS and provide the PAR migration team with the reported OIG\nfindings and recommendations, as well as other lessons learned documentation from\nthe FMIS migration.\n\nThe Bureau of Information Services concurred with the three recommendations\naddressed to their Bureau. They will review and modify the applicable policies and\nprocedures.\n\n\n\n\n                                            ii\n\x0c                                         TABLE OF CONTENTS\n\n\nEXECUTIVE SUMMARY ............................................................................. i\nINTRODUCTION\n  Background .................................................................................................................. 1\n  Audit Objective ............................................................................................................. 2\n  Scope ........................................................................................................................... 2\n  Methodology ................................................................................................................. 2\n\nRESULTS OF AUDIT\n  Lack of System-Specific Procedures for Access to FMIS............................................. 4\n    Recommendations .................................................................................................... 5\n    Management\xe2\x80\x99s Responses ........................................................................................ 5\n    OIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response ........................................................ 6\n\n  FMIS System Security Plan Needs Updating ............................................................... 6\n    Recommendations .................................................................................................... 7\n    Management\xe2\x80\x99s Response.......................................................................................... 8\n    OIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response ........................................................ 8\n\n  Inaccurate Audit and Accountability Procedures for Audit Records and Logs .............. 8\n    Recommendations .................................................................................................... 9\n    Management\xe2\x80\x99s Response.......................................................................................... 9\n\n  Anticipated Migration of Program Accounts Receivable Application ............................ 9\n    Recommendation .................................................................................................... 10\n    Management\xe2\x80\x99s Response........................................................................................ 10\n\nAPPENDICES\n  Appendix I \xe2\x80\x93 Management\xe2\x80\x99s Response \xe2\x80\x93 Bureau of Fiscal Operations..................... 11\n  Appendix II \xe2\x80\x93 Management\xe2\x80\x99s Response \xe2\x80\x93 Bureau of Information Services ................ 14\n\n\n\n\n                                                                iii\n\x0c                                             INTRODUCTION\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) audit of the\napplication controls for data management and selected general controls for\nconfiguration management, segregation of duties, and contingency planning in the\nRailroad Retirement Board\xe2\x80\x99s (RRB) Financial Management Integrated System (FMIS).\n\nBackground\n\nThe RRB is an independent agency in the executive branch of the Federal government.\nThe RRB administers the retirement/survivor and unemployment/sickness insurance\nbenefit programs for railroad workers and their families under the Railroad Retirement\nAct and the Railroad Unemployment Insurance Act. The RRB paid $11.7 billion in\nretirement/survivor benefits and $84.5 million in unemployment and sickness insurance\nbenefits during fiscal year 2013. 1\n\nThe RRB uses its Financial Management System to record financial transactions and to\nsupport the preparation of the agency\xe2\x80\x99s annual financial statements. In October 2013,\nthe RRB transitioned from the Federal Financial System, a mainframe based financial\nmanagement system to FMIS, a web-based, cloud hosted system. FMIS, which is\nprovided by a contractor for the RRB and is owned by the agency\xe2\x80\x99s Bureau of Fiscal\nOperations (BFO), was authorized to operate by the RRB\xe2\x80\x99s Chief Financial Officer on\nSeptember 30, 2013. FMIS is the core system for budget formulation and execution,\nprocurement, payment and receivable management, general ledger management, debt\ncollection and external reporting. The other component application of the Financial\nManagement System is the Program Accounts Receivable (PAR) system.\n\nThe Federal Information System Controls Audit Manual (FISCAM), developed by the\nGovernment Accountability Office (GAO), provides a methodology for evaluating\ninformation system controls. 2 FISCAM has specific control objectives with audit\ntechniques and procedures for each of the control review areas to evaluate the\neffectiveness of the controls.\n\nData management components of an application include the logical design and physical\narchitecture of the system, and control the entry, storage, retrieval, and processing of\ninformation. Additionally, in an effective internal control environment:\n\n      \xe2\x80\xa2   configuration management controls should be in place to ensure adequate\n          migration from an older system to a newer system;\n      \xe2\x80\xa2   a contractor\xe2\x80\x99s organizational structure should have proper segregation of duties;\n          and\n      \xe2\x80\xa2   contingency planning should ensure the continuity of operations if an unplanned\n          interruption of operation occurs.\n\n\n1\n    Railroad Retirement Board Performance and Accountability Report, Fiscal Year 2013.\n2\n    Federal Information System Control Audit Manual (FISCAM), GAO-09-232G, February 2009.\n\n                                                       1\n\x0cThis audit supports the RRB\xe2\x80\x99s strategic plan to \xe2\x80\x9c[s]erve as responsible stewards for our\ncustomers\xe2\x80\x99 trust funds and agency resources\xe2\x80\x9d and includes an objective to \xe2\x80\x9censure\neffectiveness, efficiency, and security of operations.\xe2\x80\x9d This audit addresses controls that\nensure security of operations.\n\nThis audit will also directly support the OIG\xe2\x80\x99s mandated annual Federal Information\nSecurity Management Act (FISMA) evaluation and indirectly support the OIG\xe2\x80\x99s audit of\nthe RRB\xe2\x80\x99s financial statements. 3\n\nAudit Objective\n\nThe objective of this audit was to assess the adequacy of the data management\ncontrols and selected configuration management, segregation of duties, and\ncontingency planning controls in FMIS.\n\nScope\n\nThe scope of the audit was October 2013 through June 2014, and configuration\nmanagement controls over the system migration that took place in fiscal year 2013.\n\nMethodology\n\nTo accomplish the audit objective, we:\n\n      \xe2\x80\xa2   reviewed pertinent laws and guidance;\n      \xe2\x80\xa2   reviewed pertinent RRB policies and procedures to ensure compliance with laws\n          and guidance;\n      \xe2\x80\xa2   reviewed documentation and interviewed responsible agency management and\n          staff to gain an understanding of the internal controls placed into operation,\n          including those for data management;\n      \xe2\x80\xa2   reviewed the procedures used for obtaining access to FMIS;\n      \xe2\x80\xa2   reviewed the system development process used for FMIS migration;\n      \xe2\x80\xa2   reviewed the FMIS configuration management documentation to support\n          acceptance testing and system migration;\n      \xe2\x80\xa2   reviewed the contractor\xe2\x80\x99s organizational chart and access profiles to ensure\n          access privileges are properly segregated;\n      \xe2\x80\xa2   reviewed the procedures used for monitoring FMIS auditable events, including\n          methods for detecting abnormal activity; and\n      \xe2\x80\xa2   reviewed documentation to support the FMIS contingency plan.\n\n\n\n\n3\n    Federal Information Security Management Act of 2002, Public Law 107-347.\n\n                                                    2\n\x0cThe primary guidance for this audit included FISCAM, FISMA, and the National Institute\nof Standards and Technology (NIST) standards and guidance.\n\nWe conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the\naudit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objectives. We believe that the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our\naudit objectives. We conducted our fieldwork at the RRB\xe2\x80\x99s headquarters in Chicago,\nIllinois from January 2014 through July 2014.\n\n\n\n\n                                           3\n\x0c                                   RESULTS OF AUDIT\n\nOur audit determined that the FMIS controls for data management, configuration\nmanagement (migration of the system), contractor segregation of duties, and\ncontingency planning are adequate; however, some control deficiencies exist. We\ndetermined that the RRB should:\n\n   \xe2\x80\xa2   create system specific procedures for access to the FMIS application;\n   \xe2\x80\xa2   update the FMIS System Security Plan (SSP) to correct errors in control\n       descriptions and ensure missing controls are reflected; and\n   \xe2\x80\xa2   modify audit and accountability procedures to reflect current practice.\n\nAdditionally, we were notified that the RRB anticipates migrating their PAR system to\none which will fully integrate with FMIS. This migration could potentially result in similar\ndeficiencies and risks.\n\nThe details of our findings and recommendations for corrective action follow.\n\nAgency management generally concurs with our recommendations. The full texts of\nmanagement\xe2\x80\x99s responses are included in Appendices I and II of this report.\n\nLack of System-Specific Procedures for Access to FMIS\n\nThere are no system-specific policies and procedures for acquiring access to FMIS.\nSystem-specific procedures for the Financial Management System were previously\nrecommended in 2009, but have not yet been established. Additionally, the existing\nRRB general policies and procedures for access control are outdated and do not reflect\nthe additional actions or notifications required to obtain access to the FMIS application.\nDuring the course of our audit, we observed that access requests for FMIS were not\nhandled timely.\n\nNIST Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for\nFederal Information Systems and Organizations, requires that agencies develop,\ndocument, and disseminate an access control policy that addresses purpose, scope,\nroles, responsibilities, management commitment, coordination among organizational\nentities, and compliance. This guidance also requires that agencies review and update\nthe current access control policy and procedures.\n\nThe FMIS application, implemented in October 2013, contains many more security roles\nand profiles than the Federal Financial System. The BFO FMIS administrator stated that\nhe is still learning the system, which is a continuing process as implementation of the\napplication continues. Presently, when an RRB employee requires access or a change\nin access, the BFO FMIS administrator reviews the access requested and will authorize\nthe contractor to implement that access. In the future, the BFO FMIS administrator will\nimplement the access without contractor assistance.\n\n                                              4\n\x0cThe RRB\xe2\x80\x99s Bureau of Information Services (BIS) is responsible for the general\ninformation security policies and procedures. The general policies and procedures for\naccess controls refer to special access procedures for external systems. These policies\nand procedures are published in four RRB documents: (1) Administrative Circular,\nInformation Resource Management-18, Information Security Policy; (2) Access Control\nPolicy; (3) Access Control Processes and Procedures; and (4) Appendix A \xe2\x80\x93 RRB\nSystem Access Policy.\n\nAll of these documents state that there are some external systems that have special\nprocedures for processing access requests; however, these documents do not include\nthe Financial Management System (which consists of FMIS and the PAR system) as\none of the external systems requiring special access procedures. The Chief Security\nOfficer informed us that BIS has been working with a limited staff, which has caused\nsome tasks such as reviewing, updating, and finalizing specific policies and procedures\nto be delayed. An additional employee is expected to begin work by the end of fiscal\nyear 2014.\n\nThe lack of system-specific policies and procedures can result in improper or\nunprocessed requests for access to the FMIS application. There is an increased risk of\nsecurity exposure and control gaps when policies and procedures are not reviewed and\nupdated timely.\n\nRecommendations\n\n   1. The Bureau of Fiscal Operations should ensure the BFO FMIS administrator\n      acquires the expertise to implement access or changes in access without\n      contractor assistance.\n\n   2. The Bureau of Fiscal Operations should implement system-specific procedures\n      for obtaining access to FMIS.\n\n   3. The Bureau of Information Services should update the four general policy and\n      procedure documents to include all systems requiring special access procedures.\n\nManagement\xe2\x80\x99s Responses\n\nThe BFO concurs with recommendations 1 and 2. For recommendation 1, they stated\nthe FMIS administrator has acquired the expertise to make routine implementations and\nchanges of access with the current security configuration supplied by the contractor, but\nwill continue to rely on support from the FMIS helpdesk for assistance in any\nmodifications to the current configuration.\n\nThe BIS concurs with recommendation 3. The Chief Security Officer will update (1)\nAdministrative Circular, Information Resource Management (IRM)-18, Information\nSecurity Policy; (2) Access Control Policy; (3) Access Control Processes and\nProcedures, and (4) Appendix A \xe2\x80\x93 RRB System Access Policy to include all systems\nrequiring special access procedures.\n                                            5\n\x0cOIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response\n\nThe OIG\xe2\x80\x99s intention with recommendation 1 is to ensure the FMIS administrator is able\nto implement access or changes in access without contractor assistance. This would\ninclude situations where new or modified security configurations may be required.\n\n\nFMIS System Security Plan Needs Updating\n\nControl descriptions within the FMIS SSP are inaccurate or incomplete for some\ncontrols and need to be updated. The FMIS SSP also needs to be updated to include\nadditional controls required for moderate impact systems based on updates in NIST\nSP 800-53, Revision 4.\n\nWe identified the following inaccurate or incomplete control information within the\nFMIS SSP:\n\n    \xe2\x80\xa2   Access to the FMIS application is inaccurately shown as controlled by the RRB\n        Active Directory when it is not.\n    \xe2\x80\xa2   The list of applicable policies referenced for configuration management is\n        incomplete.\n    \xe2\x80\xa2   Incomplete control descriptions suggest that the control is fully inherited by either\n        the RRB or the contractor when they share responsibility for control\n        implementation.\n    \xe2\x80\xa2   New controls established in NIST SP 800-53, Revision 4, are not present in the\n        FMIS SSP. There is a one year grace period from the publication date of\n        April 2013 for the implementation of these new controls.\n\nNIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems,\nstates that the SSP should be reviewed annually to ensure current information about the\nsystem. Federal Information Processing Standards Publication 200, Minimum Security\nRequirements for Federal Information and Information Systems, specifies the minimum\nsecurity requirements as defined in NIST SP 800-53, Revision 4.\n\nRRB management did not ensure that the correct control language was documented in the\nFMIS SSP. The contractor prepared the FMIS SSP for the RRB in September 2013, just\nprior to system migration. Additionally, the FMIS SSP was based on the recommended\nsecurity controls outlined in NIST SP 800-53, Revision 3, as the one year grace period for\nimplementing new controls in Revision 4 had not elapsed. 4\n\nSince FMIS is a web-based, cloud hosted system, and the responsibilities for\ninformation security controls are performed by the contractor and/or the RRB, and both\n\n4\n Recommended Security Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 3,\nAugust 2009.\n                                                      6\n\x0cthe contractor and RRB have multiple organizations that perform these responsibilities,\nthe RRB should maintain the following documents detailing the information security\ncontrol environment for the Financial Management System, including FMIS:\n\n   \xe2\x80\xa2   The Financial Management System\xe2\x80\x99s Security Plan \xe2\x80\x93 This plan would include the\n       responsibilities of, or procedures implemented by, RRB staff for the controls that\n       are specific to the two component applications (PAR and FMIS). This document\n       would only have the detailed control information for the controls within the RRB\xe2\x80\x99s\n       Financial Management System\xe2\x80\x99s boundaries. For the controls that are inherited\n       or the portions of controls that are shared, this document would only refer to the\n       other documents that have responsibilities for those controls or portions of\n       controls. This document should be updated annually.\n   \xe2\x80\xa2   The Agency Enterprise General Information Support System\xe2\x80\x99s Security Plan \xe2\x80\x93\n       This plan would reflect the controls that are inherited by the Financial\n       Management System from the RRB\xe2\x80\x99s general support system. This document\n       should be updated annually.\n   \xe2\x80\xa2   The contractor\xe2\x80\x99s Information-as-a-Service Cloud System Security Plan \xe2\x80\x93 This\n       plan is prepared by the contractor and reflects the controls implemented by the\n       contractor for the infrastructure on which the FMIS application resides. This\n       document is available through the General Services Administration\xe2\x80\x99s Federal\n       Risk and Authorization Management Program (FedRAMP) website.\n   \xe2\x80\xa2   The FMIS Application System Security Plan \xe2\x80\x93 This plan would include the\n       responsibilities of, or procedures implemented by, the contractor\xe2\x80\x99s various\n       support teams for controls that are specific to the FMIS application. The\n       preparation of this SSP is currently not one of the procured services in the RRB\xe2\x80\x99s\n       contract, so a contract modification would be required. This document should be\n       updated annually.\n\nThe RRB has an increased risk of security exposures and control gaps when\nsecurity documents are inaccurate or not updated timely to reflect the current process.\nBy not reviewing and ensuring that the FMIS SSP accurately describes the security\ncontrols in place, there is a risk that the authorizing official will inappropriately consider\nthe system to be within acceptable risk measures established by the agency.\n\nRecommendations\n\n   4. The Bureau of Fiscal Operations should ensure that the control language within\n      the Financial Management Integrated System Security Plan contains accurate\n      and complete control information and includes all required controls from NIST\n      SP 800-53, Revision 4.\n\n   5. The Bureau of Fiscal Operations should request a contract modification to\n      include the preparation and annual update of the Financial Management\n      Integrated System Security Plan as part of the procured services and\n      deliverables.\n\n                                               7\n\x0cManagement\xe2\x80\x99s Response\n\nThe BFO partially concurs with recommendations 4 and 5. They consider the Financial\nManagement System Security Plan as the primary vehicle for control language and\ninformation for the Financial Management System, leveraging control language and\ninformation from the Agency Enterprise General Information Support System\xe2\x80\x99s Security\nPlan, the contractor\xe2\x80\x99s cloud security plan required for FedRAMP certification, and the\ncontractor\xe2\x80\x99s FMIS Application System Security Plan. The BFO will not contract for an\nannual update of the FMIS SSP, but will consult with the contractor on any update that\nmay be indicated from continuous monitoring of the Financial Management System.\n\nOIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response\n\nThe OIG agrees with this alternative approach to ensuring accurate and complete\ncontrol information exists for FMIS.\n\n\nInaccurate Audit and Accountability Procedures for Audit Records and Logs\n\nThe RRB's Audit and Accountability Processes and Procedures document does not\nreflect the current process for the review of audit records and logs, and is inconsistent\nwith the RRB\xe2\x80\x99s Audit and Accountability Policy.\n\nThe section of the procedure document that relates to audit review, analysis, and\nreporting incorrectly states that audit records are reviewed annually when they actually\nare reviewed daily. In addition, the section for auditable events incorrectly states that\naudit records are reviewed annually, when it is actually the listing of auditable events\nthat is reviewed annually.\n\nNIST SP 800-53, Revision 4, requires that agencies review and update audit and\naccountability policies and procedures.\n\nRRB management did not ensure that the correct language was documented in the\nAudit and Accountability Processes and Procedures. The procedures have also never\nbeen finalized. BIS is responsible for the agency\xe2\x80\x99s information system security policies\nand procedures. The Chief Security Officer informed us that BIS has been working with\na limited staff, which has caused some tasks such as reviewing, updating, and finalizing\nspecific policies and procedures to be delayed. An additional employee is expected to\nbegin work by the end of fiscal year 2014.\n\nThe inaccurate Audit and Accountability Processes and Procedures document can\nresult in an untimely review of the audit records and audit logs. There is an increased\nrisk of security exposure and gaps in controls when policies and procedures are\ninconsistent or are not updated timely.\n\n\n\n\n                                             8\n\x0cRecommendations\n\n    6. The Bureau of Information Services should review the RRB\xe2\x80\x99s information security\n       processes and procedures for audit and accountability to ensure they properly\n       reflect the current practices.\n\n    7. The Bureau of Information Services should ensure the RRB\xe2\x80\x99s policies and\n       procedures are finalized and periodically reviewed and updated for accuracy.\n\nManagement\xe2\x80\x99s Response\n\nThe BIS concurs with recommendations 6 and 7. For recommendation 6 the Chief\nSecurity Officer will review the current processes and procedures for audit and\naccountability and ensure they properly reflect the current practices that are in place at\nthe RRB. For recommendation 7, the Chief Security Officer is in the process of\nperforming a review of all the RRB information security policies and procedures in\nIRM-18 and will have the review completed in fiscal year 2015. After the review has\nbeen completed, he will make certain that all of the policies and procedures have been\nfinalized as directed.\n\n\nAnticipated Migration of Program Accounts Receivable Application\n\nDuring the course of our audit, we were advised that the RRB is planning to migrate the\nPAR component application of the Financial Management System to a system that fully\nintegrates with FMIS. Funding for this project has been requested in the Congressional\nJustification of Budget Estimates for fiscal year 2015, and the RRB expects to begin\npreparing a Statement of Work in the near future.\n\nThe OIG has recently performed audits on the adequacy of the interface application\ncontrols and selected business process controls in FMIS, and reported similar\ndeficiencies as noted in this report. 5 Specifically, we reported:\n\n    \xe2\x80\xa2   the FMIS SSP did not adequately describe the interfaces and omitted\n        information about applications and systems that interconnect with FMIS;\n    \xe2\x80\xa2   policies and procedures were not clearly documented or maintained for FMIS\n        transaction processing;\n    \xe2\x80\xa2   selected business process controls for the preparation and approval of\n        accounting transactions were not operating and effective because only partial\n        or no supporting documentation was available;\n\n\n\n5\n Audit of the Adequacy of Interface Application Controls in the Financial Management Integrated System,\nReport No. 14-11, August 14, 2014.\n Audit of the Business Process Controls in the Financial Management Integrated System, Report No. 14-10,\nAugust 1, 2014.\n                                                  9\n\x0c   \xe2\x80\xa2   FMIS transactions had been modified by the Financial Systems Manager\n       contrary to BFO policy; and\n   \xe2\x80\xa2   FMIS security profiles were not always appropriate.\n\nLessons learned from the migration of FMIS can be effectively applied to reduce the risk\nof similar deficiencies when the RRB migrates to PAR.\n\nRecommendation\n\n   8. The Bureau of Fiscal Operations should consider and apply related OIG\n      recommendations and lessons learned from the FMIS migration when planning\n      for, and migrating to, the fully-integrated PAR application.\n\nManagement\xe2\x80\x99s Response\n\nThe BFO concurs with recommendation 8. They will provide the PAR migration team\nand Contracting Officer\xe2\x80\x99s Representative with copies of the OIG findings and\nrecommendations in this report and the OIG\xe2\x80\x99s audits on the adequacy of the interface\napplication controls and selected business process controls in FMIS, as well as other\nlessons learned documentation from the FMIS migration.\n\n\n\n\n                                          10\n\x0c     Appendix I\n\n\n\n\n11\n\x0c     Appendix I\n\n\n\n\n12\n\x0c     Appendix I\n\n\n\n\n13\n\x0c     Appendix II\n\n\n\n\n14\n\x0c"